Ooof I'm just going to chime in with the opposite answer. I'm not saying its completely wrong to have a single endpoint, but there are things to consider...
Try to avoid using the user role in business logic if possible and have two distinct endpoints.
Show the active inventory
Show all or inactive inventory
The reason this is better than having a single endpoint and examining the role to decide what to return is hard to explain. But if you go down the route of roles are part of business logic, it changes your security layer from being a "cross cutting concern" that you can cut out and handle at the endpoint access level, to an embedded parameter that might change any business logic.
If you keep the role at the endpoint access level and have two endpoints, you have much more flexibility, your business layer is completely isolated from your security layer.
You can have admins see only the active inventory on some pages and the full inventory on others.
Your tests don't have to worry about if the user is X or Y role
You can add new roles and give them whatever access your want
-- Adding some of the explanation from comments.
With security you are well advised to use a 3rd party out of the box solution rather than write your own. Normally these will plug into your web framework layer allowing you to annotate endpoints with roles or other criteria.
This means each end point can be considered a "permission" than can be assigned to a "role" in an off the shelf Role Based Authentication component.
If instead you pass the role into the business logic and let it conditionally decide what to do, you couple your BL to your security in a complex dependency relationship. You could be ten layers down in some object and find you need to know if the user is an Admin or not. And then worry about how other objects in the call chain have reacted to the user role. The simple definition of "permission" has been lost.
Your code is much less complex when the top level BL call can assume it has all the permissions required to fulfil its function if its been called.
I think the classic example is where you have a call on a website which does different things based on the user, but then you want to make the same call in bulk in an offline batch process which doesn't have a user. If you do the check in the application layer above the BL, it's easy to remove it from the batch process.